Security researchers at VulnCheck report that thousands of Internet-exposed Sophos Firewall instances remain vulnerable to a critical flaw that lets threat actors execute code on the device remotely.
In a recently published report, the company says a Shodan scan turned up more than 4,400 Internet-exposed Sophos Firewall instances still vulnerable to CVE-2022-3236.
Rated 9.8 on the CVSS scale, the flaw is a code injection vulnerability in the firewall's User Portal and Webadmin interfaces that lets an attacker deliver and run code on the appliance. Sophos disclosed it in September 2022 and shipped a hotfix at the same time; a full patch followed shortly after, with Sophos urging users to apply it immediately.
Now, about four months later, more than 4,000 Internet-facing firewalls still lack the fix, roughly 6% of the Sophos Firewall instances the researchers observed.
“More than 99% of Sophos Internet-facing firewalls have not been upgraded to versions containing the official fix for CVE-2022-3236,” the announcement reads. “But about 93% are running versions that qualify for a hotfix, and the firewall’s default behavior is to automatically download and apply hotfixes (unless disabled by an administrator). Almost all hotfix-eligible servers likely received one, though. This still leaves over 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that don’t receive hotfixes and are therefore vulnerable.”
None of this is purely theoretical. The researchers say they built a working exploit; if they can, attackers can too. Some may already have done so, which is why VulnCheck shared two indicators of compromise: the log files /logs/csc.log and /log/validationError.log. If either contains the _discriminator field in a login request, someone has most likely attempted to exploit the flaw. The logs do not show whether an attempt succeeded, however.
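A small scanner for that indicator, added here as an illustration rather than VulnCheck's or Sophos's own tooling: it reads the two log files the report names and flags every line carrying `_discriminator`, noting whether the line also refers to a login and which source address, if any, appears alongside it. The sample log lines are constructed for the example and do not reproduce Sophos's actual log format; the timestamp, level and `src=`/`body=` layout, and the function names, are assumptions.

```python
"""Hunt for the CVE-2022-3236 indicator VulnCheck describes: a `_discriminator`
field in a login request, recorded in /logs/csc.log or /log/validationError.log.
Example code added for illustration; not VulnCheck's or Sophos's tooling."""
import os
import re
from typing import Dict, Iterable, List, NamedTuple

# The two log files named in the report.
CSC_LOG = "/logs/csc.log"
VALIDATION_LOG = "/log/validationError.log"
LOG_FILES = (CSC_LOG, VALIDATION_LOG)

# The indicator itself. The report says the field appears in the login request;
# how the firewall serialises that request on disk is not reproduced here, so
# the match is a plain token search rather than a JSON parse.
INDICATOR = re.compile(r"_discriminator")
LOGIN_CONTEXT = re.compile(r"login", re.IGNORECASE)
# Best-effort enrichment: an IPv4 address on the same line, if one is logged.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Hit(NamedTuple):
    path: str
    lineno: int
    src_ip: str        # "" when the line carries no address
    in_login: bool     # line also mentions a login, as the report describes
    line: str


def scan_lines(path: str, lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per line of `lines` that contains the indicator."""
    hits: List[Hit] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if not INDICATOR.search(line):
            continue
        ip = IPV4.search(line)
        hits.append(Hit(path, lineno, ip.group(0) if ip else "",
                        bool(LOGIN_CONTEXT.search(line)), line))
    return hits


def scan_logs(logs: Dict[str, Iterable[str]]) -> List[Hit]:
    """Scan an in-memory mapping of path -> lines (used for the sample below)."""
    hits: List[Hit] = []
    for path, lines in logs.items():
        hits.extend(scan_lines(path, lines))
    return hits


def scan_files(paths: Iterable[str] = LOG_FILES) -> List[Hit]:
    """Scan the real files on a firewall (or a copied-off log bundle)."""
    hits: List[Hit] = []
    for path in paths:
        if not os.path.isfile(path):
            continue  # a missing file is not evidence either way; skip it
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_lines(path, fh))
    return hits


def unique_sources(hits: Iterable[Hit]) -> List[str]:
    """Distinct source addresses seen alongside the indicator, sorted."""
    return sorted({h.src_ip for h in hits if h.src_ip})


# Constructed sample excerpts. The layout (timestamp, level, src=, body=) is an
# assumption for the example and is NOT Sophos's actual log format.
SAMPLE_LOGS: Dict[str, List[str]] = {
    CSC_LOG: [
        "2023-01-18 09:12:03 INFO userportal login ok user=alice src=10.0.0.5",
        '2023-01-18 09:15:41 WARN userportal login request src=203.0.113.7 '
        'body={"username":"admin","_discriminator":"1"}',
        "2023-01-18 09:16:02 INFO userportal login failed user=bob src=10.0.0.9",
    ],
    VALIDATION_LOG: [
        "2023-01-18 09:15:41 validation error: unexpected field _discriminator "
        "in login request from 203.0.113.7",
        "2023-01-18 10:00:00 validation error: password too short in login "
        "request from 10.0.0.9",
    ],
}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"{h.path}:{h.lineno} src={h.src_ip or '?'} login={h.in_login}: {h.line}")
    print("sources:", unique_sources(found))
    # A hit shows an exploitation *attempt*; these logs do not say whether it worked.
```

On a real appliance, call `scan_files()` instead of `scan_logs(SAMPLE_LOGS)`; the source addresses it collects are the starting point for checking firewall and proxy records for what that client did afterwards, since the log hit alone does not tell you whether the exploit succeeded.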
The good news is that the vulnerable code path is reached only after the attacker solves the login CAPTCHA, which makes mass exploitation unlikely. Targeted attacks remain possible, however.
“The compromised code is only accessed after the CAPTCHA has been validated. A failed CAPTCHA will result in a failed exploit. Although not impossible, programmatically solving a CAPTCHA is a significant hurdle for most attackers. Most Internet-facing Sophos firewalls have the login CAPTCHA enabled, which means that even at the most inopportune times, this vulnerability is unlikely to be successfully exploited on a large scale.”